Method and system for preventing unauthorized processor mode switches

ABSTRACT

A system comprising a processor adapted to activate multiple security levels for the system and a monitoring device coupled to the processor and employing security rules pertaining to the multiple security levels. The monitoring device restricts usage of the system if the processor activates the security levels in a sequence contrary to the security rules.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims foreign priority to patent application EP05292787.8, filed Dec. 23, 2005. This application may relate to thecommonly-assigned, co-pending U.S. patent application entitled, “Methodand System for Preventing Unsecure Memory Accesses,” Ser. No. ______(Attorney Docket No. TI-39613) (1962-25700)), incorporated herein byreference.

BACKGROUND

Mobile electronic devices such as personal digital assistants (PDAs) anddigital cellular telephones are increasingly used for electroniccommerce (e-commerce) and mobile commerce (m-commerce). It is desiredfor the programs that execute on the mobile devices to implement thee-commerce and m-commerce functionality in a secure mode to reduce thelikelihood of attacks by malicious programs and to protect sensitivedata.

For security reasons, most processors provide two levels of operatingprivilege: a lower level of privilege for user programs; and a higherlevel of privilege for use by the operating system. The higher level ofprivilege may or may not provide adequate security for m-commerce ande-commerce, however, given that this higher level relies on properoperation of operating systems with vulnerabilities that may bepublicized. In order to address security concerns, some mobile equipmentmanufacturers implement a third level of privilege, or secure mode, thatplaces less reliance on corruptible operating system programs, and morereliance on hardware-based monitoring and control of the secure mode.U.S. Patent Publication No. 2003/0140245, entitled “Secure Mode forProcessors Supporting MMU and Interrupts,” incorporated herein byreference, describes a hardware-monitored secure mode for processors.

A flexible architecture providing a third level of privilege, such asthat described above, may be exploitable by software attacks. Thus,there exists a need for methods and related systems to eliminate thepotential for malicious software to manipulate the system into enteringa secure mode and executing non-secure instructions.

BRIEF SUMMARY

Disclosed herein are techniques for preventing unauthorized processormode switches. An illustrative embodiment includes a system comprising aprocessor adapted to activate multiple security levels for the systemand a monitoring device coupled to the processor and employing securityrules pertaining to the multiple security levels. The monitoring devicerestricts usage of the system if the processor activates the securitylevels in a sequence contrary to the security rules.

Another illustrative embodiment includes a device comprising a securitybus port adapted to couple to a processing unit comprising bits whichdetermine a security level of the processing unit. The device alsocomprises a security violation bus port coupled to the security bus portand logic coupled to the security and security violation bus ports andadapted to monitor the bits via the security bus port. If the logicdetermines that the processing unit adjusted the bits in a sequencecontrary to the security rules, the logic outputs an alert signal viathe security violation bus.

Yet another illustrative embodiment includes a method comprisingmonitoring bits in a processing unit, where the bits are indicative of asecurity level of the processing unit. The method also comprisesdetermining whether the bits indicate a switch between security levelsin a sequence contrary to a predetermined sequence stored on theprocessing unit.

NOTATION AND NOMENCLATURE

Certain terms are used throughout the following description and claimsto refer to particular system components. As one skilled in the art willappreciate, various companies may refer to a component by differentnames. This document does not intend to distinguish between componentsthat differ in name but not function. In the following discussion and inthe claims, the terms “including” and “comprising” are used in anopen-ended fashion, and thus should be interpreted to mean “including,but not limited to.” Also, the term “couple” or “couples” is intended tomean either an indirect or direct connection. Thus, if a first devicecouples to a second device, that connection may be through a directconnection, or through an indirect connection via other devices andconnections.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more detailed description of the preferred embodiments of thepresent invention, reference will now be made to the accompanyingdrawings, wherein:

FIG. 1 shows a computing system constructed in accordance with at leastsome embodiments of the invention;

FIG. 2 shows a portion of the megacell of FIG. 1 in greater detail, andin accordance with embodiments of the invention;

FIG. 3 shows various security modes used by the system of FIG. 1, inaccordance with embodiments of the invention; and

FIG. 4 shows a flow diagram of an exemplary method in accordance withembodiments of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following discussion is directed to various embodiments of theinvention. Although one or more of these embodiments may be preferred,the embodiments disclosed should not be interpreted, or otherwise used,as limiting the scope of the disclosure, including the claims, unlessotherwise specified. In addition, one skilled in the art will understandthat the following description has broad application, and the discussionof any embodiment is meant only to be exemplary of that embodiment, andnot intended to intimate that the scope of the disclosure, including theclaims, is limited to that embodiment.

FIG. 1 shows a computing system 100 constructed in accordance with atleast some embodiments of the invention. The computing system 100preferably comprises the ARM® TrustZone® architecture, but the scope ofdisclosure is not limited to any specific architecture. The computingsystem 100 may comprise a multiprocessing unit (MPU) 10 coupled tovarious other system components by way of a bus 11. The MPU 10 maycomprise a processor core 12 that executes applications, possibly byhaving a plurality of processing pipelines. The MPU 10 may furthercomprise a security state machine (SSM) 56 which, as will be more fullydiscussed below, aids in allowing the computer system 100 to enter asecure mode for execution of secure software, such as m-commerce ande-commerce software.

The computing system 100 may further comprise a digital signal processor(DSP) 16 that aids the MPU 10 by performing task-specific computations,such as graphics manipulation and speech processing. A graphicsaccelerator 18 may couple both to the MPU 10 and DSP 16 by way of thebus 11. The graphics accelerator 18 may perform necessary computationsand translations of information to allow display of information, such ason display device 20. The computing system 100 may further comprise amemory management unit (MMU) 22 coupled to random access memory (RAM) 24by way of the bus 11. The MMU 22 may control access to and from the RAM24 by any of the other system components such as the MPU 10, the DSP 16and the graphics accelerator 18. The RAM 24 may be any suitable randomaccess memory, such as synchronous RAM (SRAM) or RAMBUS™-type RAM.

The computing system 100 may further comprise a USB interface 26 coupledto the various system components by way of the bus 11. The USB interface26 may allow the computing system 100 to couple to and communicate withexternal devices.

The SSM 56, preferably a hardware-based state machine, monitors systemparameters and allows the secure mode of operation to initiate such thatsecure programs may execute from and access a portion of the RAM 24.Having this secure mode is valuable for any type of computer system,such as a laptop computer, a desktop computer, or a server in a bank ofservers. However, in accordance with at least some embodiments of theinvention, the computing system 100 may be a mobile (e.g., wireless)computing system such as a cellular telephone, personal digitalassistant (PDA), text messaging system, and/or a computing device thatcombines the functionality of a messaging system, personal digitalassistant and a cellular telephone. Thus, some embodiments may comprisea modem chipset 28 coupled to an external antenna 30 and/or a globalpositioning system (GPS) circuit 32 likewise coupled to an externalantenna 34.

Because the computing system 100 in accordance with at least someembodiments is a mobile communication device, computing system 100 mayalso comprise a battery 36 which provides power to the variousprocessing elements. The battery 36 may be under the control of a powermanagement unit 38. A user may input data and/or messages into thecomputing system 100 by way of the keypad 40. Because many cellulartelephones also comprise the capability of taking digital still andvideo pictures, in some embodiments the computing system 100 maycomprise a camera interface 42 which may enable camera functionality,possibly by coupling the computing system 100 to a charge couple device(CCD) array (not shown) for capturing digital images.

Inasmuch as the systems and methods described herein were developed inthe context of a mobile computing system 100, the remaining discussionis based on a mobile computing environment. However, the discussion ofthe various systems and methods in relation to a mobile computingenvironment should not be construed as a limitation as to theapplicability of the systems and methods described herein to just mobilecomputing environments.

In accordance with at least some embodiments of the invention, many ofthe components illustrated in FIG. 1, while possibly available asindividual integrated circuits, are preferably integrated or constructedonto a single semiconductor die. Thus, the MPU 10, digital signalprocessor 16, memory controller 22 and RAM 24, along with some or all ofthe remaining components, are preferably integrated onto a single die,and thus may be integrated into a computing device 100 as a singlepackaged component. Having multiple devices integrated onto a singledie, especially devices comprising a multiprocessor unit 10 and RAM 24,may be referred to as a system-on-a-chip (SoC) or a megacell 44. Whileusing a system-on-a-chip may be preferred, obtaining the benefits of thesystems and methods as described herein does not require the use of asystem-on-a-chip.

FIG. 2 shows a portion of the megacell 44 in greater detail. Theprocessor 46 comprises a core 12, a memory management unit (MMU) 22 anda register bank 80 including a current program status register (CPSR) 82and a secure configuration register (SCR) 84, described further below.The processor 46 couples to a security state machine (SSM) 56 by way ofa security monitoring (SECMON) bus 73, also described below. Theprocessor 46 couples to the RAM 24 and ROM 48 by way of an instructionbus 50, a data read bus 52 and a data write bus 54. The instruction bus50 may be used by the processor 46 to fetch instructions for executionfrom one or both of the RAM 24 and ROM 48. Data read bus 52 may be thebus across which data reads from RAM 24 propagate. Likewise, data writesfrom the processor 46 may propagate along data write bus 54 to the RAM24.

The ROM 48 and the RAM 24 are partitioned into public and securedomains. Specifically, the ROM 48 comprises a public ROM 68, accessiblein non-secure mode, and a secure ROM 62, accessible in secure mode.Likewise, the RAM 24 comprises a public RAM 64, accessible in non-securemode, and a secure RAM 60, accessible in secure mode. In at least someembodiments, the public and secure domain partitions in the ROM 48 andthe RAM 24 are virtual (i.e., non-physical) partitions generated andenforced by the MMU 22. The SSM 56 monitors the MMU 22 for securitypurposes via bus 25, as described further below.

Secure ROM 62 and secure RAM 60 preferably are accessible only in securemode. In accordance with embodiments of the invention, the SSM 56monitors the entry into, execution during and exiting from the securemode. The SSM 56 preferably is a hardware-based state machine thatmonitors various signals within the computing system 100 (e.g.,instructions on the instruction bus 50, data writes on the data writebus 52 and data reads on the data read bus 54) and activity in theprocessor core 12 through SECMON bus 73.

Each of the secure and non-secure modes may be partitioned into “user”and “privileged” modes. Programs that interact directly with anend-user, such as a web browser, are executed in the user mode. Programsthat do not interact directly with an end-user, such as the operatingsystem (OS), are executed in the privileged mode. By partitioning thesecure and non-secure modes in this fashion, a total of four modes aremade available. As shown in FIG. 3, in order of ascending securitylevel, these four modes include the non-secure user mode 300, thenon-secure privileged mode 302, the secure user mode 306, and the secureprivileged mode 304. There is an intermediate monitor mode 308,described further below, between the modes 302 and 304. The computersystem 100 may operate in any one of these five modes at a time.

The computer system 100 may switch from one mode to another. FIG. 3illustrates a preferred mode-switching sequence 298. The sequence 298 ispreferred because it is more secure than other possible switchingsequences. For example, to switch from the non-secure user mode 300 tothe secure privileged mode 304, the system 100 should first pass throughnon-secure privileged mode 302 and the monitor mode 308. Likewise, topass from the secure user mode 306 to the non-secure user mode 300, thesystem 100 should switch from the secure user mode 306 to the secureprivileged mode 304, from the secure privileged mode 304 to the monitormode 308, from the monitor mode 308 to the non-secure privileged mode302, and from the non-secure privileged mode 302 to the non-secure usermode 300.

Each mode switch is enacted by the adjustment of bits in the CPSR 82 andthe SCR 84. The CPSR 82 comprises a plurality of mode bits. The statusof the mode bits determines which mode the computer system 100 is in.Each mode corresponds to a particular combination of mode bits. The modebits may be manipulated to switch modes. For example, the bits may bemanipulated to switch from mode 300 to mode 302.

the SCR 84 comprises a non-secure (NS) bit. The status of the NS bitdetermines whether the computer system 100 is in secure mode ornon-secure mode. In at least some embodiments, an asserted NS bitindicates that the system 100 is in non-secure mode. In otherembodiments, an asserted NS bit indicates that the system 100 is insecure mode. Adjusting the NS bit switches the system 100 between secureand non-secure modes. Because the status of the NS bit is relevant tothe security of the system 100, the NS bit preferably is adjusted onlyin the monitor mode 308, since the monitor mode 308 is, in at least someembodiments, the most secure mode.

More specifically, when the system 100 is in the monitor mode 308, theprocessor 46 executes monitor mode software (not specifically shown) onthe secure ROM 62, which provides a secure transition from thenon-secure mode to the secure-mode, and from the secure mode to thenon-secure mode. In particular, the monitor mode software performsvarious security tasks to prepare the system 100 for a switch betweenthe secure and non-secure modes. The monitor mode software may beprogrammed to perform security tasks as desired. If the processor 46determines that these security tasks have been properly performed, themonitor mode software adjusts the NS bit in the SCR register 84, therebyswitching the system 100 from non-secure mode to secure mode, or fromsecure mode to non-secure mode.

The NS bit and the CPSR bits are provided by the processor 46 to the SSM56 via the SECMON bus 73. The SSM 56 uses the SECMON bus 73 to monitorany mode switches enacted by the processor 46. For example, if thesystem 100 switches from the non-secure user mode 300 to the non-secureprivileged mode 302, the CPSR mode bits on the SECMON bus 73 reflect themode switch. The SSM 56 receives the updated CPSR mode bits anddetermines that the system 100 has switched from the non-secure usermode 300 to the non-secure privileged mode 302. Likewise, if the system100 switches from the non-secure privileged mode 302 to the secureprivileged mode 304, the processor 46 updates the CPSR mode bits toreflect the mode switch, and further unasserts the NS bit in the SCR 84to reflect the switch from the non-secure mode to the secure mode. Uponreceiving the updated CPSR mode bits and the NS bit, the SSM 56determines that the system 100 has switched from the non-secure mode tothe secure mode and, more specifically, from the non-secure privilegedmode 302 to the secure privileged mode 304.

The SSM 56 uses the SECMON bus 73 in this way to ensure that theprocessor 46 does not take any action that may pose a security risk. Forexample, for security reasons, the processor 46 preferably adjusts theNS bit in the SCR 84 only when the system 100 is in the monitor mode308. The SSM 56 uses the SECMON bus 73 to ensure that the processor 46does not adjust the NS bit when the system 100 is not in monitor mode308. Thus, if the SSM 56 detects that the NS bit is being adjusted bythe processor 46 and the CPSR 82 mode bits indicate that the system 100is in the monitor mode 308, the SSM 56 takes no action. However, if theSSM 56 detects that the NS bit is being adjusted and the CPSR mode bitsindicate that the system 100 is not in monitor mode 308 (e.g., thesystem 100 is in one of the modes 300, 302, 304 or 306), the SSM 56 mayreport a security violation to the power reset control manager 66 viathe security violation bus 64. The power reset control manager 66 thenmay reset the system 100. The SSM 56 also may take any of a variety ofalternative actions to protect the computer system 100. Examples of suchprotective actions are provided in the commonly owned patent applicationentitled, “System and Method of Identifying and Preventing SecurityViolations Within a Computing System,” U.S. patent application Ser. No.10/961,748, incorporated herein by reference.

In addition to monitoring the NS bit and/or CPSR bits, the SSM 56 alsomay use the SECMON bus 73 to ensure that when switching modes, theprocessor 46 does not deviate from the preferred mode switching pathshown in FIG. 3. In particular, the SSM 56 monitors the CPSR bitsprovided on the SECMON bus 73. Each mode (e.g., mode 300, 302, 304, 306,and 308) corresponds to a particular combination of CPSR bits. Bydecoding the CPSR bits provided on the SECMON bus 73, the SSM 56determines the mode in which the computer system 100 is operating. If,in decoding the CPSR bits, the SSM 56 determines that the processor 46has performed an illegal mode switch (e.g., from mode 300 to mode 304without first passing through modes 302 and 308), the SSM 56 reports asecurity violation to the power reset control manager 66 via thesecurity violation bus 64. The SSM 56 alternatively may take any othersuitable action(s) to protect the computer system 100, such as thosedisclosed in the U.S. patent application Ser. No. 10/961,748 referencedabove.

In addition to monitoring the NS bit, the SSM 56 also may use the SECMONbus 73 in conjunction with the MMU bus 25 to monitor the MMU 22 and toensure that the MMU's activities do not compromise the security of thecomputer system 100. For example, for security reasons, it isundesirable for the MMU 22 to be disabled when switching from non-securemode to secure-mode. Accordingly, the SSM 56 checks bus 25 to ensurethat the MMU 22 is enabled when the NS bit on the SECMON bus 73indicates that the system 100 is switching from the non-secure mode tothe secure mode. For example, if the MMU 22 is disabled when the NS bitis unasserted, the SSM 56 reports a security violation to the powerreset control manager 66 via the security violation bus 64.Alternatively, the SSM 56 may take any of the protective actionsmentioned above.

For security reasons, it is also undesirable to fetch instructions frompublic (i.e., unsecure) memory when in the secure or monitor modes. Forthis reason, the SSM 56 may monitor both the instruction bus 50 and theSECMON bus 73 to ensure that while the system 100 is in either themonitor mode or secure mode, the processor 46 does not fetch aninstruction from the public ROM 68 and/or the public RAM 64. If the SSM56 detects that an instruction tagged as “unsecure” is fetched on theinstruction bus 50 while bits on the SECMON bus 73 indicate that thesystem 100 is in monitor or secure mode, the SSM 56 reports a securityviolation to the power reset control manager 66 via the securityviolation bus 64. The SSM 56 also may take alternative measures toprotect the computer system 100 as mentioned above.

For security reasons, it is also undesirable to read data from and/orwrite data to public (i.e., unsecure) memory when in the monitor mode.For this reason, the SSM 56 may monitor the data read bus 52, the datawrite bus 54 and the SECMON bus 73 to ensure that the processor 46 doesnot read data from and/or write data to either the public ROM 68 and/orthe public RAM 64 while the system 100 is in the monitor mode. Forexample, if the SSM 56 detects that data read from the public ROM 68 isbeing carried on the data read bus 52 while bits on the SECMON bus 73indicate that the system 100 is in the monitor mode, the SSM 56 reportsa security violation to the power reset control manager 66 or takes someother suitable, protective measure. In another example, if the SSM 56detects that data is being written to the public RAM 64 via data writebus 54 and the SECMON bus 73 indicates that the system 100 is in monitormode, the SSM 56 takes a suitable, protective measure (e.g., reports asecurity violation to the power reset control manager 66).

FIG. 4 illustrates a flow diagram of a process 400 used to monitor thecomputer system 100 for at least some of the security violationsmentioned above. The process 400 begins by monitoring the processor 46using the SSM 56 (block 402). The process 400 further comprisesdetermining whether one or more of the CPSR mode bits have been altered(block 404). As mentioned above, the SSM 56 determines whether one ormore of the CPSR mode bits have been altered by monitoring the SECMONbus 73. If any of the CPSR mode bits have been altered, the process 400comprises determining whether an illegal mode switch has occurred (block406). An illegal mode switch may be, for example, a deviation from thepreferred mode switching pattern shown in FIG. 3. The pattern may bestored, for instance, on the CPU 46 or on one of the memories 24 or 48.If an illegal mode switch has occurred, the process 400 comprisesreporting a security violation and taking one or more suitable,protective measures (block 408).

Otherwise, the process 400 then comprises using the SECMON bus 73 todetermine whether the NS bit is being changed (block 410). If the NS bitis being changed, the process 400 comprises using the CPSR bits on theSECMON bus 73 to determine whether the change is occurring (or occurred)with the computer system 100 in the monitor mode (block 412). If thechange in the NS bit is occurring (or occurred) with the computer system100 in a mode other than the monitor mode, the process 400 comprisesreporting a security violation and taking one or more suitable,protective measures (block 408).

The above discussion is meant to be illustrative of the principles andvarious embodiments of the present invention. Numerous variations andmodifications will become apparent to those skilled in the art once theabove disclosure is fully appreciated. It is intended that the followingclaims be interpreted to embrace all such variations and modifications.

1. A system, comprising: a processor adapted to activate multiple security levels for the system; and a monitoring device coupled to the processor and employing security rules pertaining to said multiple security levels; wherein the monitoring device restricts usage of the system if the processor activates said security levels in a sequence contrary to the security rules.
 2. The system of claim 1, wherein the monitoring device determines that the processor has activated said security levels in the sequence contrary to the security rules by monitoring a plurality of bits stored on the processor, said bits indicative of a current security level.
 3. The system of claim 2, wherein the monitoring device restricts usage of the system if said bits are altered in a pattern contrary to a predetermined pattern stored on the system.
 4. The system of claim 1, wherein said security levels are partitioned into secure and non-secure modes with an intermediate mode between said secure and non-secure modes, and wherein the system switches between the secure and non-secure modes by adjusting a single bit stored on the processor, said bit adjusted only in the intermediate mode.
 5. The system of claim 4, wherein the monitoring device restricts usage of the system if said single bit is adjusted in a mode other than the intermediate mode.
 6. The system of claim 1, wherein the monitoring device restricts usage of the system by causing the system to be reset.
 7. The system of claim 1, wherein the monitoring device restricts usage of the system by blocking execution of software that causes the processor to activate the security levels in the sequence contrary to the security rules.
 8. The system of claim 1, wherein the system comprises a wireless communications device.
 9. A device, comprising: a security bus port adapted to couple to a processing unit comprising bits which determine a security level of the processing unit; a security violation bus port coupled to the security bus port; and logic coupled to the security and security violation bus ports and adapted to monitor said bits via the security bus port; wherein, if the logic determines that the processing unit adjusted the bits in a sequence contrary to said security rules, the logic outputs an alert signal via the security violation bus.
 10. The device of claim 9 further comprising: wherein said security levels comprise a secure mode, a non-secure mode and an intermediate mode between the secure and non-secure modes; wherein the processing unit switches between the secure and non-secure modes by adjusting one of said bits stored on the processing unit; wherein the logic permits the processor to adjust the one of said bits only while in the intermediate mode.
 11. The device of claim 10, wherein the logic outputs said alert signal if the processor adjusts the one of said bits in a mode other than the intermediate mode.
 12. The device of claim 9, wherein said alert signal causes the processing unit to be reset.
 13. The device of claim 9, wherein said alert signal causes software running on the processing unit to be aborted.
 14. The device of claim 9, wherein the device comprises a mobile communication device.
 15. A method, comprising: monitoring bits in a processing unit, said bits indicative of a security level of the processing unit; and determining whether said bits indicate a switch between security levels in a sequence contrary to a predetermined sequence stored on the processing unit.
 16. The method of claim 15 further comprising restricting usage of the processing unit if said bits indicate the switch between security levels in the sequence contrary to the predetermined sequence.
 17. The method of claim 16, wherein restricting usage of the processing unit comprises resetting the processing unit.
 18. The method of claim 16, wherein restricting usage of the processing unit comprises preventing execution of software that causes said switch between security levels in the sequence contrary to the predetermined sequence.
 19. The method of claim 15, wherein said security levels are partitioned into secure and non-secure modes activated by adjusting a single bit, and wherein determining whether said bits indicate the switch between security levels in the sequence contrary to the predetermined sequence comprises determining whether said single bit is adjusted in a mode other than a monitor mode between the secure and non-secure modes. 